Abstract. Most modal logics such as S5, LTL, or ATL are extensions
of Modal Logic K. While the model checking problems for LTL and to
a lesser extent ATL have been very active research areas for the past
decades, the model checking problem for the more basic Multi-agent
Modal Logic K (MMLK) has important applications as a formal framework
for perfect information multi-player games on its own.
We present Minimal Proof Search (MPS), an effort-number based algorithm
solving the model checking problem for MMLK. We prove two important
properties for MPS beyond its correctness. The (dis)proof exhibited
by MPS is of minimal cost for a general definition of cost, and MPS is
an optimal algorithm for finding (dis)proofs of minimal cost. Optimality
means that any comparable algorithm either needs to explore a bigger
or equal state space than MPS, or is not guaranteed to find a (dis)proof
of minimal cost on every input.

As such, our work relates to A* and AO* in heuristic search, to Proof 
Number Search and DFPN+ in two-player games, and to counterexample 
minimization in software model checking. 



1 Introduction 

Model checking for temporal logics such as LTL or CTL is a major research area
with important applications in software and hardware verification [1]. Model
checking for agent logics such as ATL or S5 is now also regarded as an important
topic with a variety of applications [17,18,11]. On the other hand, Modal Logic K
is usually considered the basis upon which more elaborate modal logics are built,
such as S5, PDL, LTL, CTL, or ATL. Multi-agent Modal Logic K (MMLK)
can also be used directly to model (sequential) perfect information games.

In this article, we put forward a model checking algorithm for MMLK that
we call Minimal Proof Search (MPS). As the name indicates, given a model
checking problem $q \models \phi$, the MPS algorithm outputs a proof that $q$ satisfies $\phi$ or a
counterexample, this proof/counterexample being minimal for some definition of
size. Perfect information games provide at least two motivations for small proofs.
In game playing, people are usually interested in "short" proofs, for instance a
CHESS player would rather deliver checkmate in three moves than in nine moves
even if both options grant them the victory. In game solving, "compact" proofs
can be stored and independently checked efficiently.

* A shorter version of this article appears in the proceedings of JELIA 2012.

In CTL model checking, finding a minimal witness/counterexample is NP-
complete. MMLK model checking, on the contrary, though PTIME-complete [10],
allows finding minimal witnesses/counterexamples relatively efficiently, as we
shall see in this article.

Our goal is related both to heuristic search and software model checking. On 
one hand, the celebrated A* algorithm outputs a path of minimal cost from 
a starting state to a goal state. This path can be seen as the proof that the 
goal state is reachable, and the cost of the path is the size of the proof. On the 
other hand, finding small counterexamples is an important subject in software 
model checking. For a failure to meet a specification often indicates a bug in 
the program, and a small counterexample makes finding and correcting the bug 
easier [7]. 

Like A*, MPS is optimal, in the sense that any algorithm provided with the 
same information and guaranteed to find a proof of minimal size needs to do as 
many node expansions as MPS. 

The tableau-based model checking approach by Cleaveland for the μ-calculus
seems to be similar to ours [6]; however, it would need to be adapted to handle
(dis)proof cost. Also, in our understanding, the proof procedure checkl presented
by Cleaveland can be seen as an unguided depth first search while our approach
is guided towards regions of minimal cost.

The two algorithms most closely related to MPS are AO*, a generalization
of A* to And/Or trees, and DFPN+ [13], a variant of DFPN, itself a depth-first
variant of Proof Number Search (PNS) [1].

While And/Or trees are as expressive as the combination of MMLK and Game
Automata (GAs), we believe that the separation of concerns between the logic
and the Game Automaton is beneficial in practice. For instance, if the properties
to be checked are encoded in the logic rather than in the graph, there is no need
to rewrite the rules of CHESS if one is interested in finding helpmates instead of
checkmates, or if one just wants to know if any piece can be captured in two
moves from a given position. The encoding through an And/Or graph would
be different in every such situation while in our approach, only the modal logic
formula needs to be adapted. Another advantage of MPS over AO* is that if the
problem is not solvable, then MPS finds a minimal disproof while AO* does not
provide such a guarantee¹.

DFPN+ is typically only used to find a winning strategy for either player in
two-player games. MPS, on the contrary, can be applied to solve other interest-
ing problems without a cumbersome prior conversion to an And/Or graph. Examples
of such problems range from finding ladders in two-player games to finding para-
noid wins in multi-player games. Another improvement over DFPN+ is that we
allow for a variety of (dis)proof size definitions. While DFPN+ is set to minimize
the total edge cost in the proof, we can imagine minimizing, say, the number of
leaves or the depth of the (dis)proof.

¹ Following the convention in Proof Number Search, we use the terms proof and dis-
proof instead of witness and counterexample, which are more common in the model
checking literature.

In his thesis, Nagai derived the DFPN algorithm from the equivalent best-first
algorithm PNS [18]. Similarly, we can obtain a depth-first version of MPS from
the best first search version presented here by adapting Nagai's transformation.
Such a depth-first version should probably be favoured in practice; however, we
decided to present the best first version in this article for two main reasons. We
believe the best-first search presentation is more accessible to non-specialists,
and the proofs seemed to be easier to work through in the chosen setting; they
can later be extended to the depth-first setting.

The remainder of this paper is structured as follows. In Sect. 2 we recall the
definitions of Game Automaton (GA) and MMLK and formally define (dis)proofs
for the corresponding model checking problem. Section 3 elaborates on the notion
of (dis)proof cost and the associated basic admissible heuristic functions; it then
proceeds with the presentation of the MPS algorithm. Finally, we prove the
correctness of MPS, the minimality of the output (dis)proofs and the optimality
of the algorithm in Sect. 4. A short discussion concludes the article.

2 Definitions 

We define in this section various formal objects that will be used throughout 
the paper. The GA is the underlying system which is to be formally verified. 
The MMLK is the language to express the various properties we want to model 
check GAs against. Finally, a (dis)proof is a tree structure that shows whether 
a property is true on a state in a GA. 

2.1 Game Automata 

A GA is a kind of labelled transition system where both the states and the 
transitions are labelled. If a GA is interpreted as a perfect information game, 
then a transition corresponds to a move from one state to the next and its label 
is the player making that move. The state labels are domain specific information 
about states, for instance we could have a label for each triple (piece, owner, 
position) in CHESS-like games. Naturally, it is also possible to give a formal 
definition of GAs. 

Definition 1. A Game Automaton is a 5-tuple $G = (P, \Sigma, Q, \pi, \delta)$ with the
following components:

— $P$ is a non-empty set of atoms (or state labels);

— $\Sigma$ is a non-empty finite set of agents (or transition labels);

— $Q$ is a set of game states;

— $\pi : Q \to 2^P$ maps each state $q$ to its labels;

— $\delta : Q \times \Sigma \to 2^Q$ is a transition function that maps a state and an agent to
a set of next states.

In the following, we will use $p, p', p_1, \dots$ for atoms, $a$ for an agent, and $q, q', q_1, \dots$
for game states. We write $q \to_a q'$ when $q' \in \delta(q, a)$ and we read it as agent $a$
can move from $q$ to $q'$. Note that $\delta$ returns the set of successors, so it need not
be a partial function to allow for states without successors. If an agent $a$ has no
moves in a state $q$, we have $\delta(q, a) = \emptyset$.

2.2 Multi-agent Modal Logic K 

Following loosely [5], we define the Multi-agent Modal Logic K over a set of
atoms $P$ as the formulas we obtain by combining the negation and conjunction
operators with a set of box operators, one per agent.

Definition 2. The set $\mathcal{F}$ of well-formed Multi-agent Modal Logic K (MMLK)
formulas is defined inductively as $\phi := p \mid \neg\phi' \mid \Box_a \phi' \mid \phi_1 \wedge \phi_2$, where $\phi, \phi',
\phi_1, \dots$ stand for arbitrary MMLK formulas, $p \in P$ and $a \in \Sigma$.

We can define the usual syntactic shortcuts for the disjunction and the dia-
mond operators: $\phi_1 \vee \phi_2 \equiv \neg(\neg\phi_1 \wedge \neg\phi_2)$ and $\Diamond_a \phi \equiv \neg\Box_a \neg\phi$. The box operators
convey necessity and the diamond operators convey possibility: $\Box_a \phi$ can be read
as "it is necessary for agent $a$ that $\phi$", while $\Diamond_a \phi$ is "it is possible for $a$ that $\phi$".

2.3 The Model Checking Problem 

We can now interpret MMLK formulas over GAs via the satisfaction relation $\models$.
Intuitively, a state in a GA constitutes the context of a formula, while a formula
constitutes a property of a state. A formula might be satisfied in some contexts
and not satisfied in other contexts, and some properties hold in a state while
others do not. Determining whether a given formula $\phi$ holds in a given state $q$
(in a given implicit GA) is what is commonly referred to as the model checking
problem. If it is the case, we write $q \models \phi$, otherwise we write $q \not\models \phi$.

It is possible to decide whether $q \models \phi$ by examining the structure of $\phi$, the
labels of $q$, as well as the accessible states.

Definition 3. The formulas satisfied by a state $q$ can be constructed by induc-
tion as follows.

— If $p$ is a label of $q$, that is if $p \in \pi(q)$, then $q \models p$;

— if $q \not\models \phi$ then $q \models \neg\phi$;

— if $q \models \phi_1$ and $q \models \phi_2$ then $q \models \phi_1 \wedge \phi_2$;

— if for all $q'$ such that $q \to_a q'$, we have $q' \models \phi$, then $q \models \Box_a \phi$.

2.4 Proofs and Counterexamples 

In practice, we never explicitly construct the complete set of formulas satisfied
by a state. So when some computation tells us that a formula $\phi$ is indeed (not)
satisfied by a state $q$, some sort of evidence might be desirable. In software model
checking, a model of the program replaces the GA, and a formula in a temporal
logic acts as a specification of the program. If a correct model checker asserts
that the program does not satisfy the specification, it means that the program
or the specification contained a bug. In those cases, it can be very useful for the
programmers to have access to evidence by the model checker of the mismatch
between the formula and the system, as it is likely to lead them to the bug.

In this section we give a formal definition of what constitutes a proof or
a disproof for the class of model checking problems we are interested in. It is
possible to relate the following definitions to the more general concept of tree-like
counterexamples used in model checking ACTL [8].

Definition 4. An exploration tree for a formula $\phi$ in a state $q$ is a tree with
root $n$ associated with a pair $(q, \phi)$ with $q$ a state and $\phi$ a formula, such that $n$
satisfies the following properties.

— If $n$ is associated with $(q, p)$ with $p \in P$, then it has no children;

— if $n$ is associated with $(q, \neg\phi)$ then $n$ has at most one child and it is an
exploration tree associated with $(q, \phi)$;

— if a node $n$ is associated with $(q, \phi_1 \wedge \phi_2)$ then any child of $n$ (if any) is an
exploration tree associated with $(q, \phi_1)$ or with $(q, \phi_2)$;

— if a node $n$ is associated with $(q, \Box_a \phi)$ then any child of $n$ (if any) is an
exploration tree associated with $(q', \phi)$ for some $q'$ such that $q \to_a q'$;

— in any case, no two children of $n$ are associated with the same pair.

Unless stated otherwise, we will not distinguish between a tree and its root
node. In the rest of the paper, $n, n', n_1, \dots$ will be used to denote nodes in
exploration trees.

Definition 5. A proof (resp. a disproof) that $q \models \phi$ is an exploration tree with
a root $n$ associated with $(q, \phi)$ satisfying the following hypotheses.

— If $\phi = p$ with $p \in P$, then $p \in \pi(q)$ (resp. $p \notin \pi(q)$);

— if $\phi = \neg\phi'$, then $n$ has exactly one child $n'$ and this child is a disproof
(resp. proof) that $q \models \phi'$;

— if $\phi = \phi_1 \wedge \phi_2$, then $n$ has exactly two children $n_1$ and $n_2$ such that $n_1$ is
a proof that $q \models \phi_1$ and $n_2$ is a proof that $q \models \phi_2$ (resp. $n$ has exactly one
child $n'$ and $n'$ is a disproof that $q \models \phi_1$ or $n'$ is a disproof that $q \models \phi_2$);

— if $\phi = \Box_a \phi'$, then $n$ has exactly one child $n'$ for each $q \to_a q'$, and $n'$ is a
proof that $q' \models \phi'$ (resp. $n$ has exactly one child $n'$ and $n'$ is a disproof that
$q' \models \phi'$ for some $q \to_a q'$).

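As an added illustration of Definitions 1 to 5 (this code is not from the paper), the following Python models a Game Automaton as two dictionaries, implements the satisfaction relation of Definition 3 in `sat`, builds a (dis)proof of the shape required by Definition 5 in `build`, and, in `check`, verifies a stored tree against Definitions 4 and 5 without re-running any search, which is what the introduction's remark that compact proofs can be stored and independently checked amounts to. The states `s0` to `s6`, the agents `W` and `B`, the atom `win` and the formula `PHI` are assumptions constructed for the example.

```python
# Added example, not code from the paper: a direct MMLK model checker over a
# Game Automaton (Definitions 1-3), a naive (dis)proof builder (Definition 5),
# and an independent checker of stored (dis)proofs. The game at the bottom is
# constructed for illustration; states, agents W/B and the atom 'win' are assumed.
# Formulas are tuples: ('p', atom) | ('not', f) | ('and', f, g) | ('box', agent, f)

def diamond(a, f):                 # <a> f  :=  not [a] not f
    return ('not', ('box', a, ('not', f)))

def lor(f, g):                     # f or g  :=  not (not f and not g)
    return ('not', ('and', ('not', f), ('not', g)))

class GA:
    """Game Automaton: pi maps a state to its atoms, delta maps (state, agent)
    to the list of successor states; a missing key means the agent has no move."""
    def __init__(self, pi, delta):
        self.pi, self.delta = pi, delta
    def succ(self, q, a):
        return self.delta.get((q, a), [])

def parts(g, q, f):
    """The (state, formula) pairs a proof of q |= f must cover (and/box only)."""
    if f[0] == 'and':
        return [(q, f[1]), (q, f[2])]
    return [(q2, f[2]) for q2 in g.succ(q, f[1])]

def sat(g, q, f):
    """Definition 3: does state q of g satisfy formula f?"""
    op = f[0]
    if op == 'p':   return f[1] in g.pi[q]
    if op == 'not': return not sat(g, q, f[1])
    return all(sat(g, q2, f2) for q2, f2 in parts(g, q, f))   # and / box

def build(g, q, f):
    """A (dis)proof of q |= f shaped as in Definition 5: (state, formula, children).
    Not minimal: a disproof keeps the first refuting part it finds."""
    op = f[0]
    if op == 'p':   return (q, f, [])
    if op == 'not': return (q, f, [build(g, q, f[1])])
    if sat(g, q, f):                                      # proof: every part is needed
        return (q, f, [build(g, q2, f2) for q2, f2 in parts(g, q, f)])
    q2, f2 = next(p for p in parts(g, q, f) if not sat(g, *p))  # disproof: one refuted part
    return (q, f, [build(g, q2, f2)])

def check(g, tree):
    """Independent checker for a stored (dis)proof: True for a proof, False for a
    disproof, ValueError if the tree violates Definition 4 or 5. It never calls
    sat(); it only reads the atoms and successors of the states it is shown."""
    q, f, kids = tree
    op = f[0]
    if op == 'p':
        if kids: raise ValueError('atomic node with children')
        return f[1] in g.pi[q]
    if op == 'not':
        if len(kids) != 1 or kids[0][:2] != (q, f[1]): raise ValueError('bad negation')
        return not check(g, kids[0])
    wanted, got = parts(g, q, f), [k[:2] for k in kids]
    if any(p not in wanted for p in got) or len(set(got)) != len(got):
        raise ValueError('child outside the allowed pairs, or duplicated')
    verdicts = [check(g, k) for k in kids]
    if set(got) == set(wanted) and all(verdicts):
        return True                                       # all required parts proved
    if len(kids) == 1 and not verdicts[0]:
        return False                                      # one part refuted
    raise ValueError('neither a proof nor a disproof')

def verify(g, tree):
    """'proof', 'disproof', or 'invalid' (a tampered or truncated certificate)."""
    try:
        return 'proof' if check(g, tree) else 'disproof'
    except ValueError:
        return 'invalid'

# Constructed toy game: W moves first, 'win' marks W's winning positions.
G = GA(pi={'s0': set(), 's1': {'win'}, 's2': set(), 's3': set(), 's4': {'win'}, 's6': set()},
       delta={('s0', 'W'): ['s1', 's2'], ('s1', 'B'): ['s6'],
              ('s2', 'B'): ['s3', 's4'], ('s3', 'W'): ['s4']})
WIN = ('p', 'win')
# "W can move to a won position, or to one where every B reply lets W win next move"
PHI = diamond('W', lor(WIN, ('box', 'B', diamond('W', WIN))))

if __name__ == '__main__':
    print(sat(G, 's0', PHI), verify(G, build(G, 's0', PHI)))      # True proof
```

`check` is the part worth keeping around: it accepts only trees whose children are among the pairs Definition 4 allows, rejects a "proof" of a box that omits a successor or a conjunction node that is neither fully proved nor singly refuted, and trusts nothing but the atoms and transitions it is shown, so a (dis)proof produced by any search can be validated by a much smaller program.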
3 Minimal Proof Search 

Let $q \models \phi$ be a model checking problem and $n_1$ and $n_2$ two proofs as defined in
Sect. 2.4. Even if $n_1$ is not a subtree of $n_2$, there might be reasons to prefer $n_1$
over $n_2$. For instance, we can imagine that $n_1$ contains fewer nodes than $n_2$, or
that the depth of $n_1$ is smaller than that of $n_2$.



3.1 Cost Functions 



To remain as general as possible with respect to the definitions of a small
(dis)proof in the introduction, we introduce a cost function $k$ as well as cost
aggregators $A_\wedge$ and $A_\Box$. These functions can then be instantiated in a domain
dependent manner to get the optimal algorithm for the domain definition of min-
imality. This approach has been used before in the context of A* and AO* [14].

We assume given a base cost function $k : P \to \mathbb{R}^+$, as well as a conjunction
cost aggregator $A_\wedge : (\mathbb{R}^+ \cup \{\infty\})^\# \to \mathbb{R}^+ \cup \{\infty\}$ and a box modal cost aggregator
$A_\Box : \Sigma \times (\mathbb{R}^+ \cup \{\infty\})^\# \to \mathbb{R}^+ \cup \{\infty\}$, where $S^\#$ denotes the set of multisets
of elements of $S$.

We assume the aggregators are increasing in the sense that adding elements
to the input increases the cost. For all costs $x \le y \in \mathbb{R}^+ \cup \{\infty\}$, multisets
of costs $X \in (\mathbb{R}^+ \cup \{\infty\})^\#$ and agents $a$, we have for the conjunction cost
aggregator $A_\wedge(X) \le A_\wedge(\{x\} \uplus X) \le A_\wedge(\{y\} \uplus X)$, and for the box aggregator
$A_\Box(a, X) \le A_\Box(a, \{x\} \uplus X) \le A_\Box(a, \{y\} \uplus X)$.

We further assume that aggregating infinite costs results in infinite costs and
that aggregating finite numbers of finite costs results in finite costs. For all costs
$x \in \mathbb{R}^+$, multisets of costs $X \in (\mathbb{R}^+ \cup \{\infty\})^\#$ and agents $a$, $A_\wedge(\{\infty\}) =
A_\Box(a, \{\infty\}) = \infty$, $A_\wedge(X) < \infty \Rightarrow A_\wedge(\{x\} \uplus X) < \infty$ and $A_\Box(a, X) <
\infty \Rightarrow A_\Box(a, \{x\} \uplus X) < \infty$ (in particular the empty aggregates $A_\wedge(\emptyset)$ and
$A_\Box(a, \emptyset)$ are finite).

Note that in our presentation, there is no cost to a negation. The justification
is that we want a proof aggregating over a disjunction to cost as much as a
disproof aggregating over a conjunction with children of the same cost, without
having to include the disjunction and the diamond operator in the base syntax.

Given $k$, $A_\wedge$, and $A_\Box$, it is possible to define the global cost function for a
(dis)proof as shown in Table 1.

Table 1. Cost $K$ of a proof or a disproof for a node $n$ as a function of the base cost
function $k$ and the aggregators $A_\wedge$ and $A_\Box$. $C$ is the set of children of $n$.

  Label of $n$                   Children of $n$   $K(n)$
  $(q, p)$                       none              $k(p)$
  $(q, \neg\phi)$                $\{c\}$           $K(c)$
  $(q, \phi_1 \wedge \phi_2)$    $C$               $A_\wedge(\{K(c) \mid c \in C\})$
  $(q, \Box_a \phi)$             $C$               $A_\Box(a, \{K(c) \mid c \in C\})$

Example 1. Suppose we are interested in the nested depth of the $\Box$ operators in
the (dis)proof. Then we define $k = 0$, $A_\wedge = \max$, and $A_\Box(a, X) = 1 + \max X$
for all $a$ (with $\max \emptyset = 0$).

Example 2. Suppose we are interested in the number of atomic queries to the
underlying system (the GA). Then we define $k = 1$, $A_\wedge(X) = \sum X$, and
$A_\Box(a, X) = \sum X$ for all $a$.

Example 3. Suppose we are interested in minimizing the amount of expensive
interactions with the underlying system. Then we define $A_\wedge(X) = \sum X$ and
$A_\Box(a, X) = k_{\Box_a} + \sum X$ for all $a$. In this case, we understand that $k(p)$ is the
price for querying $p$ in any state, and $k_{\Box_a}$ is the price for getting access to the
transition function for agent $a$ in any state.

We define two heuristic functions $I$ and $J$ to estimate the minimal amount of
interaction needed with the underlying system to say anything about a formula
$\phi$. These functions are defined in Table 2: $I(\phi)$ is a lower bound on the minimal
amount of interaction to prove $\phi$ and $J(\phi)$ is a lower bound on the minimal
amount of interaction to disprove $\phi$.



Table 2. Definition of the heuristic functions $I$ and $J$.

  Shape of $\phi$               $I(\phi)$                               $J(\phi)$
  $p$                           $k(p)$                                  $k(p)$
  $\neg\phi'$                   $J(\phi')$                              $I(\phi')$
  $\phi_1 \wedge \phi_2$        $A_\wedge(\{I(\phi_1), I(\phi_2)\})$    $\min\{A_\wedge(\{J(\phi_1)\}), A_\wedge(\{J(\phi_2)\})\}$
  $\Box_a \phi'$                $A_\Box(a, \emptyset)$                  $A_\Box(a, \{J(\phi')\})$

The heuristics $I$ and $J$ are admissible, that is, they never overestimate the
cost of a (dis)proof.

Proposition 1. Given a formula $\phi$, for any state $q$, for any proof $n$ (resp. disproof)
that $q \models \phi$, $I(\phi) \le K(n)$ (resp. $J(\phi) \le K(n)$).

Proof. We proceed by structural induction on the shape of formulas. For the
base case $\phi = p$, if $n$ is a proof (resp. disproof) that $q \models p$, then the label of $n$ is
$(q, p)$ and its cost is $K(n) = k(p)$, which is indeed greater than or equal to
$I(p) = J(p) = k(p)$.

For the induction case, take the formulas $\phi_1$ and $\phi_2$ and assume that for any
proofs (resp. disproofs) $n_1$ and $n_2$ of $q \models \phi_1$ and $q \models \phi_2$, the cost is greater than
or equal to the heuristic value: $I(\phi_1) \le K(n_1)$ and $I(\phi_2) \le K(n_2)$ (resp.
$J(\phi_1) \le K(n_1)$ and $J(\phi_2) \le K(n_2)$).

For any proof (resp. disproof) $n$ with label $(q, \neg\phi_1)$ and child $c$, the cost of $n$ is
the cost of the disproof (resp. proof) $c$: $K(n) = K(c)$. The disproof (resp. proof)
$c$ is associated with $(q, \phi_1)$ and we know from the induction hypothesis that
$J(\phi_1) \le K(c)$ (resp. $I(\phi_1) \le K(c)$). By definition of the heuristics, $I(\phi) = J(\phi_1)$
(resp. $J(\phi) = I(\phi_1)$), therefore we have $I(\phi) \le K(n)$ (resp. $J(\phi) \le K(n)$).

For any proof $n$ with label $(q, \phi_1 \wedge \phi_2)$ and children $c_1, c_2$, the cost of $n$ is
$K(n) = A_\wedge(\{K(c_1), K(c_2)\})$. The nodes $c_1$ and $c_2$ are proofs associated with
$(q, \phi_1)$ and $(q, \phi_2)$, so by the induction hypothesis $I(\phi_1) \le K(c_1)$ and $I(\phi_2) \le K(c_2)$.
Since $A_\wedge$ is increasing, $I(\phi) = A_\wedge(\{I(\phi_1), I(\phi_2)\}) \le A_\wedge(\{K(c_1), K(c_2)\}) = K(n)$.
For any disproof $n$ with the same label and single child $c$, $K(n) = A_\wedge(\{K(c)\})$,
where $c$ is a disproof associated with $(q, \phi_1)$ or with $(q, \phi_2)$; by the induction
hypothesis $J(\phi_i) \le K(c)$ for the corresponding $i$, hence $J(\phi) =
\min\{A_\wedge(\{J(\phi_1)\}), A_\wedge(\{J(\phi_2)\})\} \le A_\wedge(\{J(\phi_i)\}) \le A_\wedge(\{K(c)\}) = K(n)$.

The remaining case is very similar and is omitted. □

Lemma 1. For any formula $\phi$, $I(\phi) < \infty$ and $J(\phi) < \infty$.

Proof. We proceed by structural induction on $\phi$. For the base case, $\phi = p$, simply
recall that the range of $k$ is $\mathbb{R}^+$. The induction case results directly from the
assumptions on the aggregators (finitely many finite costs, and the empty multiset,
aggregate to a finite cost). □

3.2 Best First Search framework 

We inscribe the MPS algorithm in a best first search framework inspired by game
tree search. We then specify a function for initializing the leaves, a function
to update the tree after a leaf has been expanded, a selection function to decide
which part of the tree to expand next, and a stopping condition for the overall
algorithm.

Algorithm 1 develops an exploration tree for a given state $q$ and formula $\phi$. To
be able to orient the search efficiently towards proving or disproving the model
checking problem $q \models \phi$ instead of just exploring, we need to attach additional
information to the nodes beyond their (state, formula) label. This information
takes the form of two effort numbers, called the minimal proof number and the
minimal disproof number. Given a node $n$ associated with a pair $(q, \phi)$, the
minimal proof number of $n$, $\mathrm{MPN}(n)$, is an indication of the cost of a proof for
$q \models \phi$. Conversely, the minimal disproof number of $n$, $\mathrm{MDN}(n)$, is an indication
of the cost of a disproof for $q \models \phi$. For a more precise relationship between
$\mathrm{MPN}(n)$ and the cost of a proof see Props. 5 and 6.

The algorithm stops when the minimal (dis)proof number reaches $\infty$, as it
corresponds to the exploration tree containing a (dis)proof of minimal cost (see
Prop. 4).

The values for the effort numbers in terminal leaves and in newly created
leaves are defined in Table 3. The values for the effort numbers of an internal
node as a function of its children are defined in Table 4. Finally, the selection
procedure based on the effort numbers to decide how to descend the global tree
is given in Table 5. The stopping condition, Tables 3, 4 and 5, as well as Alg. 1
together define Minimal Proof Search.

The backpropagate procedure implements a small optimization known as
the current node enhancement [1]. Basically, if the information about a node $n$
is not changed, then the information about the ancestors of $n$ will not change
either and so the next descent will reach $n$. Thus, it is possible to shortcut the
process and start the next descent at $n$ directly.

4 Properties of MPS 

Before studying some theoretical properties of (dis)proofs, minimal (dis)proof
numbers, and MPS, let us point out that for any exploration tree, not necessarily
produced by MPS, we can associate to each node an MPN and an MDN by using
the initialization described in Table 3 and the heredity rule described in Table 4.



MPS(state q, formula φ)
    r ← new node with label (q, φ);
    r.info ← init-leaf(r);
    n ← r;
    while r is not solved do
        while n has been extended do
            n ← select-child(n);
        extend(n);
        n ← backpropagate(n);
    return r

extend(node n)
    switch on the label of n do
        case (q, p)
            mark n as terminal;            (no children; update(n) now reads Table 3)
        case (q, φ1 ∧ φ2)
            n1 ← new node with label (q, φ1);
            n2 ← new node with label (q, φ2);
            n1.info ← init-leaf(n1);
            n2.info ← init-leaf(n2);
            add n1 and n2 as children of n;
        case (q, ¬φ1)
            n' ← new node with label (q, φ1);
            n'.info ← init-leaf(n');
            add n' as a child of n;
        case (q, □a φ1)
            foreach q' in {q' | q →a q'} do
                n' ← new node with label (q', φ1);
                n'.info ← init-leaf(n');
                add n' as a child of n;

backpropagate(node n)
    new_info ← update(n);                  (Table 3 if n is terminal, Table 4 otherwise)
    if new_info = n.info then return n;    (current node enhancement)
    n.info ← new_info;
    if n = r then return r;
    return backpropagate(n.parent)

Algorithm 1: Generic pseudo-code for a best-first search algorithm. A node is
solved when one of its effort numbers is ∞; a node has been extended once extend
has been called on it, so a terminal node counts as extended although it has no
children. Note that the new information of a node, including the root, is stored
before backpropagation stops, otherwise the solving of a terminal leaf would never
reach its ancestors.
Table 3. Values for terminal nodes and initial values for leaves.

                 Node label                              MPN         MDN
  info-term      $(q, p)$ where $p \in \pi(q)$           $k(p)$      $\infty$
                 $(q, p)$ where $p \notin \pi(q)$        $\infty$    $k(p)$
  init-leaf      $(q, \phi)$                             $I(\phi)$   $J(\phi)$

Table 4. Determination of values for internal nodes.

  Node label                   Children   MPN                                        MDN
  $(q, \neg\phi)$              $\{c\}$    $\mathrm{MDN}(c)$                          $\mathrm{MPN}(c)$
  $(q, \phi_1 \wedge \phi_2)$  $C$        $A_\wedge(\{\mathrm{MPN}(c) \mid c \in C\})$     $\min_{c \in C} A_\wedge(\{\mathrm{MDN}(c)\})$
  $(q, \Box_a \phi)$           $C$        $A_\Box(a, \{\mathrm{MPN}(c) \mid c \in C\})$    $\min_{c \in C} A_\Box(a, \{\mathrm{MDN}(c)\})$

Table 5. Selection policy.

  Node label                   Children   Chosen child
  $(q, \neg\phi)$              $\{c\}$    $c$
  $(q, \phi_1 \wedge \phi_2)$  $C$        $\arg\min_{c \in C} A_\wedge(\{\mathrm{MDN}(c)\})$
  $(q, \Box_a \phi)$           $C$        $\arg\min_{c \in C} A_\Box(a, \{\mathrm{MDN}(c)\})$

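The following Python is an added example and not the paper's own implementation: it runs Minimal Proof Search exactly as Algorithm 1 and Tables 2 to 5 specify it, on a toy game constructed for the purpose, under the cost of Example 3 with $k(p) = 1$ and $k_{\Box_a} = 1$ (an assumption of the example, so that a (dis)proof costs one unit per atom query plus one per transition-function query). `extract` pulls the contained (dis)proof out of the solved tree, `cost` evaluates Table 1 on it, and `best` computes the cheapest (dis)proof by exhaustive recursion over Definition 5, so that Prop. 5 and Theorem 2 can be checked on the instance: the root's effort number, the cost of the extracted proof and the brute-force optimum coincide. The states, agents `W`/`B`, atom `win` and formula `PHI` are assumptions of the example.

```python
# Added example, not the paper's code: Minimal Proof Search (Algorithm 1, Tables 2-5)
# under the Example 3 cost with k(p) = 1 and k_box(a) = 1: one unit per atom query
# plus one per transition-function query. Formulas: ('p', atom) | ('not', f) | ('and', f, g) | ('box', agent, f)
INF = float('inf')

def diamond(a, f): return ('not', ('box', a, ('not', f)))
def lor(f, g):     return ('not', ('and', ('not', f), ('not', g)))
k     = lambda p: 1.0                    # base cost of querying atom p
A_and = lambda xs: sum(xs)               # conjunction aggregator
A_box = lambda a, xs: 1.0 + sum(xs)      # box aggregator: k_box(a) = 1 plus the parts

def agg(f):
    """The aggregator Tables 1, 4 and 5 apply at a node whose formula is f."""
    return A_and if f[0] == 'and' else (lambda xs: A_box(f[1], xs))

def heuristics(f):
    """Table 2: (I(f), J(f)), admissible lower bounds on proof / disproof cost."""
    op = f[0]
    if op == 'p':   return k(f[1]), k(f[1])
    if op == 'not': i, j = heuristics(f[1]); return j, i
    if op == 'and':
        (i1, j1), (i2, j2) = heuristics(f[1]), heuristics(f[2])
        return A_and([i1, i2]), min(A_and([j1]), A_and([j2]))
    i, j = heuristics(f[2])
    return A_box(f[1], []), A_box(f[1], [j])

class Node:
    def __init__(self, q, f, parent=None):
        self.q, self.f, self.parent, self.kids, self.expanded = q, f, parent, [], False
        self.mpn, self.mdn = heuristics(f)                # init-leaf, Table 3
    def solved(self): return self.mpn == INF or self.mdn == INF

def update(pi, n):
    """Table 3 for a terminal node, Table 4 for an internal one."""
    if n.f[0] == 'p':
        return (k(n.f[1]), INF) if n.f[1] in pi[n.q] else (INF, k(n.f[1]))
    if n.f[0] == 'not':
        return n.kids[0].mdn, n.kids[0].mpn
    a = agg(n.f)
    return a([c.mpn for c in n.kids]), min((a([c.mdn]) for c in n.kids), default=INF)

def select(n):
    """Table 5: the child whose aggregated disproof estimate is cheapest."""
    return n.kids[0] if n.f[0] == 'not' else min(n.kids, key=lambda c: agg(n.f)([c.mdn]))

def extend(delta, n):
    op = n.f[0]
    pairs = ([] if op == 'p' else [(n.q, n.f[1])] if op == 'not' else
             [(n.q, n.f[1]), (n.q, n.f[2])] if op == 'and' else
             [(q2, n.f[2]) for q2 in delta.get((n.q, n.f[1]), [])])
    n.kids, n.expanded = [Node(q2, f2, n) for q2, f2 in pairs], True

def mps(pi, delta, q, f):
    """Algorithm 1. root.mdn == INF means q |= f was proved, root.mpn == INF disproved."""
    root = n = Node(q, f)
    while not root.solved():
        while n.expanded: n = select(n)                   # descent
        extend(delta, n)
        while True:                                       # backpropagation
            new = update(pi, n)
            if new == (n.mpn, n.mdn): break               # unchanged: next descent starts here
            n.mpn, n.mdn = new
            if n is root: break
            n = n.parent
    return root

def extract(n):
    """The contained (dis)proof: a proved and/box node keeps every child, a
    disproved one keeps a single disproved child (Props. 4 and 7)."""
    if n.f[0] == 'p': return (n.q, n.f, [])
    kids = n.kids if n.f[0] == 'not' or n.mdn == INF else [next(c for c in n.kids if c.mpn == INF)]
    return (n.q, n.f, [extract(c) for c in kids])

def cost(t):
    """Table 1 on a (state, formula, children) tree."""
    q, f, kids = t
    if f[0] == 'p':   return k(f[1])
    if f[0] == 'not': return cost(kids[0])
    return agg(f)([cost(c) for c in kids])

def best(pi, delta, q, f):
    """Exhaustive recursion over Definition 5: (truth value, cheapest (dis)proof cost)."""
    op = f[0]
    if op == 'p':   return f[1] in pi[q], k(f[1])
    if op == 'not': v, c = best(pi, delta, q, f[1]); return not v, c
    pairs = [(q, f[1]), (q, f[2])] if op == 'and' else [(q2, f[2]) for q2 in delta.get((q, f[1]), [])]
    subs = [best(pi, delta, *p) for p in pairs]
    if all(v for v, _ in subs): return True, agg(f)([c for _, c in subs])
    return False, min(agg(f)([c]) for v, c in subs if not v)

# Constructed toy game (an assumption of the example): W moves first, 'win' marks W's wins.
PI = {'s0': set(), 's1': {'win'}, 's2': set(), 's3': set(), 's4': {'win'}, 's6': set()}
DELTA = {('s0', 'W'): ['s1', 's2'], ('s1', 'B'): ['s6'], ('s2', 'B'): ['s3', 's4'], ('s3', 'W'): ['s4']}
WIN = ('p', 'win')
PHI = diamond('W', lor(WIN, ('box', 'B', diamond('W', WIN))))    # W wins within two of its moves

if __name__ == '__main__':
    r = mps(PI, DELTA, 's0', PHI)
    print(r.mdn == INF, r.mpn, cost(extract(r)), best(PI, DELTA, 's0', PHI))   # True 2.0 2.0 (True, 2.0)
```

Two details of the loop deserve attention. Ties in `select` are broken by child order, which is the tie-breaking Sect. 4.3 refers to; and backpropagation stops at the first ancestor whose effort numbers did not change, so the next descent starts there rather than at the root (the current node enhancement). On this instance the search settles the cheap branch through `s1` with a single atom query and never expands the `s2` subtree, and the root's MPN equals both the cost of the extracted proof and the exhaustive optimum.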

4.1 Correctness of the Algorithm 

The first property we want to prove about MPS is that the descent does not get
stuck in a solved subtree.

Proposition 2. For any internal node $n$ with finite effort numbers, the child $c$
selected by the procedure described in Table 5 has finite effort numbers: $\mathrm{MPN}(n) \ne
\infty$ and $\mathrm{MDN}(n) \ne \infty$ imply $\mathrm{MPN}(c) \ne \infty$ and $\mathrm{MDN}(c) \ne \infty$.

Proof. If the formula associated with $n$ has shape $\neg\phi$, then $\mathrm{MDN}(c) = \mathrm{MPN}(n) \ne
\infty$ and $\mathrm{MPN}(c) = \mathrm{MDN}(n) \ne \infty$.

If the formula associated with $n$ is a conjunction, then it suffices to note that
no child of $n$ has an infinite minimal proof number and at least one child has a
finite minimal disproof number, and the result follows from the definition of the
selection procedure. This also holds if the formula associated with $n$ is of the
form $\Box_a \phi'$. □

As a result, each descent ends in a non solved leaf. Either the associated formula
is of the form $p$ and the leaf gets solved, or the leaf becomes an internal node
and its children are associated with structurally smaller formulas.

Proposition 3. The MPS algorithm terminates in a finite number of steps.

Proof. Let $F$ be the set of lists of formulas ordered by decreasing structural
complexity, that is, $F = \{ l = (\phi_0, \dots, \phi_n) \mid n \in \mathbb{N},\ \phi_0 \ge \dots \ge \phi_n \}$. Note that
the lexicographical ordering (based on structural complexity) $<_F$ is well-founded
on $F$. Recall that there are no infinite descending chains with respect to a well-
founded relation.

Consider at some time $t$ the list $l_t$ of formulas associated with the non solved
leaves of the tree. Assuming that $l_t$ is ordered by decreasing structural complexity,
we have $l_t \in F$. Observe that a step of the algorithm results in a list $l_{t+1}$ smaller
than $l_t$ according to the lexicographical ordering (a solved atomic leaf disappears
from the list, and an expanded leaf is replaced by structurally smaller formulas),
and that successive steps of the algorithm result in a descending chain in $F$.
Conclude that the algorithm terminates after a finite number of steps for any
input formula $\phi$ with associated list $l_0 = (\phi)$. □



Since the algorithm terminates, we know that the root of the tree will even-
tually be labelled with an infinite minimal (dis)proof number and thus will be
solved. It remains to be shown that this definition of a solved tree coincides with
containing a (dis)proof starting at the root.

Proposition 4. If a node $n$ is associated with $(q, \phi)$, then $\mathrm{MDN}(n) = \infty$ (resp.
$\mathrm{MPN}(n) = \infty$) if and only if the tree corresponding to $n$ contains a proof
(resp. disproof) that $q \models \phi$ as a subtree with root $n$.

Proof. We proceed by structural induction on the shape of trees.

For the base case when $n$ has no children, either $\phi = p$ or $\phi$ is not atomic.
In the first case, $n$ is a terminal node so it contains a (dis)proof ($n$ itself) and we
obtain the result by definition of MPN and MDN as per Table 3. In the second
case, $\phi$ is not atomic and $n$ has no children so $n$ contains neither a proof nor a
disproof. Table 3 and Lemma 1 show that the effort numbers are both finite.

For the induction case when $\phi = \neg\phi'$, we know that $n$ has one child $c$ asso-
ciated with $\phi'$. If $c$ contains a proof (resp. disproof) that $q \models \phi'$, then $n$ contains
a disproof (resp. proof) that $q \models \phi$. By the induction hypothesis, we know that
$\mathrm{MDN}(c) = \infty$ (resp. $\mathrm{MPN}(c) = \infty$); therefore, using Table 4, we know that
$\mathrm{MPN}(n) = \infty$ (resp. $\mathrm{MDN}(n) = \infty$). Conversely, if $c$ contains neither a proof
nor a disproof, then $n$ contains neither a proof nor a disproof, and we know
from the induction hypothesis and Table 4 that $\mathrm{MPN}(n) = \mathrm{MDN}(c) < \infty$ and
$\mathrm{MDN}(n) = \mathrm{MPN}(c) < \infty$.

The other induction cases are similar but make use of the assumption that
aggregating infinite costs results in infinite costs and that aggregating finite
numbers of finite costs results in finite costs. □

Theorem 1. The MPS algorithm takes a formula $\phi$ and a state $q$ as arguments
and returns after a finite number of steps an exploration tree that contains a
(dis)proof that $q \models \phi$.

4.2 Minimality of the (Dis)Proofs 

Now that we know that MPS terminates and returns a tree containing a (dis)proof,
we need to prove that this (dis)proof is of minimal cost.

The two following propositions can be proved by a simple structural induction
on the exploration tree, using Table 3 and the admissibility of $I$ and $J$ for the
base case and Table 4 for the inductive case.

Proposition 5. If a node $n$ is solved, then the cost of the contained (dis)proof
is given by the minimal (dis)proof number of $n$.

Proof. Straightforward structural induction on the shape of the tree using the
first half of Table 3 for the base case and Table 4 for the induction step. □

Proposition 6. If a node $n$ is associated with $(q, \phi)$, then for any proof $m$
(resp. disproof) that $q \models \phi$, we have $\mathrm{MPN}(n) \le K(m)$ (resp. $\mathrm{MDN}(n) \le K(m)$).

Proof. Structural induction on the shape of the tree, using the second half of
Table 3 and the admissibility of $I$ and $J$ (Prop. 1) for the base case and Table 4
for the inductive case. □

Since the aggregators for the cost function are increasing functions, $\mathrm{MPN}(n)$
and $\mathrm{MDN}(n)$ are non decreasing as we add more nodes to the tree $n$.

Proposition 7. For each disproved internal node $n$ in a tree returned by the
MPS algorithm, at least one of the children of $n$ minimizing the MDN is dis-
proved.

Proof (Sketch). If we only increase the minimal (dis)proof number of a leaf, then
for each ancestor, at least one of either the minimal proof number or the minimal
disproof number remains constant.

Take a disproved internal node $n$, and assume we used the selection procedure
described in Table 5. On the iteration that led to $n$ being solved, the child $c$ of
$n$ selected was minimizing the MDN and this number remained constant since
$\mathrm{MPN}(c)$ rose from a finite value to $\infty$.

Since the MDN of the siblings of $c$ have not changed, $c$ is still minimizing
the MDN after it is solved. □

Combining Props. 5, 6 and 7, we get the following theorem.

Theorem 2. The tree returned by the MPS algorithm contains a (dis)proof of
minimal cost.



4.3 Optimality of the Algorithm 

The MPS algorithm is not optimal in the most general sense because it is pos-
sible to have a better algorithm in some cases by using transpositions, domain
knowledge, or logical reasoning on the formula to be satisfied.

For instance, take $\phi_1 = \Diamond_a(p \wedge \neg p)$ and $\phi_2$ some non trivial formula satisfied
in a state $q$. If we run the MPS algorithm to prove that $q \models \phi_1 \vee \phi_2$, it will explore
at least a little the possibility of proving $q \models \phi_1$ before finding the minimal proof
through $\phi_2$. We can imagine that a more "clever" algorithm would recognize that
$\phi_1$ is never satisfiable and would directly find the minimal proof through $\phi_2$.
Another possibility to outperform MPS is to make use of transpositions to
shortcut some computations. MPS indeed explores structures according to the
MMLK formula shape, and it is well-known in modal logic that bisimilar struc-
tures cannot be distinguished by MMLK formulas. It is possible to express an
algorithm similar to MPS that would take transpositions into account, adapting
ideas from PNS [15,12,8]. We chose not to do so in this article for simplicity
reasons.

Still, MPS can be considered optimal among the programs that do not use
reasoning on the formula itself, transpositions or domain knowledge. Stating and
proving this property formally is not conceptually hard, but we have not been
able to find simple definitions and a short proof that would not submerge the
reader with technicalities. Therefore we decided only to describe the main ideas
of the argument from a high-level perspective.

Definition 6. A pair $(q', \phi')$ is similar to a pair $(q, \phi)$ with respect to an ex-
ploration tree $n$ associated with $(q, \phi)$ if $q'$ can substitute for $q$ and $\phi'$ for $\phi$ in
$n$.

Let $n$ associated with $(q, \phi)$ be an exploration tree with a finite MPN (resp. MDN);
then we can construct a pair $(q', \phi')$ similar to $(q, \phi)$ with respect to $n$ such that
there is a proof that $q' \models \phi'$ of cost exactly $\mathrm{MPN}(n)$ (resp. a disproof of cost
$\mathrm{MDN}(n)$).

Definition 7. An algorithm $A$ is purely exploratory if the following holds. Call
$n$ the tree returned by $A$ when run on a pair $(q, \phi)$. For every pair $(q', \phi')$ sim-
ilar to $(q, \phi)$ with respect to $n$, running $A$ on $(q', \phi')$ returns a tree structurally
equivalent to $n$.

Depth first search, if we were to return the explored tree, and MPS are both
examples of purely exploratory algorithms.

Proposition 8. If a purely exploratory algorithm $A$ is run on a problem $(q, \phi)$
and returns a solved exploration tree $n$ where $\mathrm{MPN}(n)$ (resp. $\mathrm{MDN}(n)$) is smaller
than the cost of the contained proof (resp. disproof), then we can construct a
problem $(q', \phi')$ similar with respect to $n$ such that $A$ will return a structurally
equivalent tree with the same proof (resp. disproof) while there exists a proof of
cost $\mathrm{MPN}(n)$ (resp. disproof of cost $\mathrm{MDN}(n)$).

Note that if the cost of a solved exploration tree $n$ is equal to its MPN
(resp. MDN), then we can make MPS construct a solved subtree of $n$ sharing its root
just by influencing the tie-breaking in the selection policy described in Table 5.

Theorem 3. If a purely exploratory algorithm $A$ returns a solved exploration
tree $n$, either this tree (or a subtree) can be generated by MPS or $A$ is not guar-
anteed to return a tree containing a (dis)proof of minimal cost on all possible
inputs.

5 Conclusion and discussion 

We presented Minimal Proof Search (MPS), a model checking algorithm for
MMLK. MPS has been proven correct, and it has been proved that the (dis)proof
returned by MPS minimizes a generic cost function. The only assumption
about the cost function is that it is defined recursively using increasing aggrega-
tors. Finally, we have shown that MPS is optimal among the purely exploratory
model checking algorithms for MMLK.

Nevertheless, the proposed approach has a few limitations. MPS is a best
first search algorithm and is memory intensive; the cost functions addressed in
the article cannot represent variable edge cost; and MPS cannot make use of
transpositions in its present form. Still, we think that these limitations can be
overcome in future work.

We envision a depth-first adaptation of MPS similar to Nagai's transforma-
tion of PNS into DFPN. Alternatively, we can draw inspiration from PN² [1]
and replace the heuristic functions $I$ and $J$ by a nested call to MPS, leading to
an MPS² algorithm trading time for memory. These two alternative algorithms
would directly inherit the correctness and minimality theorems for MPS. The
optimality theorem would also transpose in the depth-first case, but it would
not be completely satisfactory. Indeed, even though the explored tree will still
be admissibly minimal, several nodes inside the tree will have been forgotten
and re-expanded multiple times. This trade-off is reminiscent of the one between
A* and its depth-first variation IDA* [9].

Representing problems with unit edge costs is already possible within the
framework presented in Sect. 3.1. It is not hard to adapt MPS to the more
general case as we just need to replace the agent labels on the transitions with
(agent, cost) labels. This more general perspective was not developed in this
article because the notation would be heavier while it would not add much to
the intuition and the general understanding of the ideas behind MPS.

Finding minimal (dis)proofs while taking transpositions into account is more
challenging because of the double count problem. While it is possible to obtain
a correct algorithm returning minimal (dis)proofs by using functions based on
propagating sets of individual costs instead of real values in Sect. 3.1, similarly
to previous work in PNS [12], such a solution would hardly be efficient in prac-
tice and would not necessarily be optimal. The existing literature on PNS and
transpositions can certainly be helpful in addressing efficient handling of trans-
positions in MMLK model checking [15,12,8].

Beside evaluating and improving the practical performance of MPS, future
work can also study to which extent the ideas presented in this article can be
applied to model checking problems in more elaborate modal logics and remain
tractable.